NSA warns of Chinese state hackers targeting Citrix

The National Security Agency sent companies a warning notice Tuesday that Chinese state-linked cyberspies are targeting the multinational cloud-computing firm Citrix.

The electronic spy agency said in its notice that a group known as Advanced Persistent Threat 5, or APT5, a security designation for a Chinese state-backed hacking group known to target telecommunications companies, is operating against a specific Citrix software called application delivery controllers (ADCs).

The targeting of Citrix ADCs can “facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” the agency said.

NSA, along with other security agencies, produced “threat hunting guidance” for companies and organizations using Citrix to spot cyberattacks from the group.

Citrix products are in use by over 400,000 clients worldwide, including 99% of Fortune 100, and 98% of the Fortune 500 companies.

The company specializes in “application virtualization,” software that encapsulates computer programs within an operating system without full installation.

The group ATP 5, also known to NSA and security officials by the codenames UNC2630 and MANGANESE, has been engaged in cyberoperations to steal information since 2007, according to the security firm Mandiant.

Meanwhile on Tuesday, Citrix sent out software patches to its customers to mitigate what analysts say is a “zero-day” security flaw in its software that left unpatched could be used by Chinese hackers to gain unauthorized computer network access.

The company said “a vulnerability has been discovered in Citrix Gateway and Citrix ADC … that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.”

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the company said.

The Citrix software zero-day vulnerability is the second of its kind to be uncovered this week.

Earlier, the security firm Fortinet announced it had discovered and patched a zero-day flaw in its FortiOS SSL-VPN product.

The software flaw could allow “a remote unauthenticated attacker to execute arbitrary code or commands.”

“Fortinet is aware of an instance where this vulnerability was exploited in the wild and recommends immediately validating your systems against the following indicators of compromise,” the company said.

The cybersecurity news outlet SecurityWeek said the two zero-day bugs are among at least 50 public zero-day attacks uncovered this year.

China is continuing to engage in large-scale cyberoperations aimed at stealing information and penetrating networks in preparation for sabotage in a future conflict.

China “presents a sophisticated, persistent cyber-enabled espionage and attack threat to military and critical infrastructure systems, and presents a growing influence threat,” the Pentagon’s latest report on the Chinese military stated.

“The PRC can launch cyberspace attacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States, and the PRC believes these capabilities are even more effective against militarily superior adversaries that depend on information technologies,” the report said, using the acronym for People’s Republic of China.

According to cybersecurity reports, APT 5 was traced to cyberattacks on dozens of U.S. and European organizations that use secure virtual private networks, or VPNs.

“Many of the targeted organizations operate in defense, government, high-tech, transportation, and financial sectors aligning with Beijing’s strategic goals mentioned in China’s recent 14th Five Year Plan,” the security firm Cyware said of the group.

Mandiant, another security firm, said APT5 targeted regional telecommunications providers and Asia-based employees of global telecommunications and tech firms.

The group also is active in cyberattacks against high-tech manufacturing, and military application technology in the U.S., Europe, and Asia, Mandiant stated in a recent report.

“APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications,” the Mandiant report said.

“In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities.”

The Chinese hackers of APT 5 downloaded and modified router data on company networks routers and stole files related to military technology from a South Asian defense organization, the report said.

APT5 is said to be a large Chinese government-linked group made up of several subgroups that use distinct tactics and infrastructure in electronic attacks.

Another tool is the use of keystroke monitoring tools to gain log-in credentials.